Currently, in NSS_3_6_BRANCH, including the RTM, and on the tip, addbuiltin is broken. It generates output that does not have the issuer serial number in the trust object. These are now required in NSS 3.6 due to a new optimization. This is what bit us for the AOL roots, and bit us again for the TC trustcenter roots. The addbuiltin tool needs to be updated before it can be used again without having to manually patch the output.
Created attachment 102633 [details] [diff] [review] Add issuer & sn to trust object so that generated output is valid for NSS 3.6+
I tested the attached patch to regenerate the TC Trustcenter root, and it worked. The output was generated correctly with the trust, and the resulting DLL had the new roots trusted in Mozilla.
Checked in to the tip : Checking in addbuiltin.c; /cvsroot/mozilla/security/nss/cmd/addbuiltin/addbuiltin.c,v <-- addbuiltin.c new revision: 1.4; previous revision: 1.3 done Also on 3.6 branch : Checking in addbuiltin.c; /cvsroot/mozilla/security/nss/cmd/addbuiltin/addbuiltin.c,v <-- addbuiltin.c new revision: 220.127.116.11; previous revision: 1.3 done
I suggest to land this patch on the client tag, so the tools included in the source snapshot for Mozilla 1.2 will be correct.
Kai, Technically, this patch was made in 3.6.1, which is still being worked on. Wan-Teh, do we want to tag this patch with NSS_CLIENT_TAG ? This would mean that the client tag would be slightly past NSS_3_6_RTM .
The Mozilla client doesn't need this patch for addbuiltin but eventually NSS_CLIENT_TAG will be based on the NSS_3_6_BRANCH and pick up this fix.
Comment on attachment 102633 [details] [diff] [review] Add issuer & sn to trust object so that generated output is valid for NSS 3.6+ r=wtc.